Security Alert!


Noelle Tarabulski

April 01, 2001


Imagine losing all of your professional experience in an instant. Say you go to sleep and you wake up and you have no memory of your company’s operations, the people, the processes, the customers, the systems and how it all operates. That would be unsettling to say the least. Well, what I am about to tell you might scare you and I hope it does. Only the paranoid survive and in the case of your operating system’s security and accessibility, it is better to be safe than sorry.

Here is an all too likely scenario. You go to the office and find out that your data, software and entire communication structure do not work—nor will they ever be the same again. You find that your data is gone, your software is corrupted, and the history of your company’s transactions is no longer available. Don’t get me wrong. Many of you have great back-up systems in place as well as other precautions, but let me warn you all, they may not be as good, or as secure, as you may think.

At this point in the technology curve, you as owner or senior manager should not believe, think or assume that your company’s data is adequately protected. You must know for certain. More than anything, you need to retain the right to access your data and systems.

Typical information technology systems are specifically vulnerable to a number of risks: sabotage by disgruntled people, inadvertent damage by less skilled users, intentional damage by outside vendors, general theft of intellectual property by people with no moral compass, and theft by people who want to do damage to your company. Most of us realize that controlling employees' value systems is beyond the ability of all leaders. It is, however, their responsibility to protect company data and systems from potential harm. I can say without a doubt that the majority of businesses do not have adequate processes in place to manage risk to operating systems. And they do not have IT policies in place to protect themselves from errant and devious employees.

Ask any attorney whether it is easier to put someone in jail for stealing your two-year-old pick-up truck worth $20,000, or for intentionally damaging, stealing, or selling your intellectual property and operating systems. This is a wake-up call. The value of such a theft could truly be in the millions of dollars. Many builders say they are unconcerned about what other builders might use and learn from their systems. But the complete removal and theft of your entire operating system could occur if you are not savvy about protecting it. Traveling and working with many builders and IT professionals over the past year has made it clear to me that our legal system does not significantly protect companies if someone wanders away with critical data. Keep in mind, in some instances it is simply a lack of IT skills that can get you into trouble. At other times you can have less-than-scrupulous behavior going on that is masked as ineptness. Either way, the results can be disastrous.

It is very important to be proactive and protect your company with a very clear and direct IT policy. Let’s review the areas of potential abuse and risk to your information backbone.

Connection to the outside world—Remember faster speed is great for work, but if you have bad people trying to access your data, they can work faster as well.

Multiple login methods—The more ways people can get into your system, the more they can disturb it. Control your access. Authenticate all users. Do not have passwords reside on laptops. Firms have had laptops stolen in airports. Limit your login methods where possible.

Out-sourced professionals—Know those with whom you work and the people they hire. If you have job turnover, change access pass codes immediately.

File management and permissions—Do not be lax about your file management. Set up an excellent structure. Make sure it is clear where certain people have access and others do not. This is critical and yet is poorly done by most companies. Poor management of this sets you up for severe risk of data loss.

Hire people that value integrity—If you do not have people with a high level of integrity running your IT system, you are at severe risk. If for any reason you doubt the integrity of the people accessing your system, you should have an audit done by an outside firm.

Physical location of your servers and back-up tapes—Lock your computer room. I have heard of instances where entire servers have been stolen. The only people that should be in your designated and secure computer room should be those people with unquestioned integrity. Know who has your back-up tapes and where they are stored. It should be your local bank in a safe-deposit box. Understand how to disconnect the physical hook-ups to the outside world if needed. Make sure all back-up systems work and are reliable.

Document your processes—Make sure all of your technology processes are at least outlined and reviewed by the president and leadership team. If you do not have all of the items documented, you should.

Also document system usage and Web usage intermittently throughout the year.

Network pass codes—Manage them well. If you get lax on pass codes, you can have significant issues occur with no way to track or make people accountable. Do not have pass codes shared and do not let others know your pass codes.

Software—Understand what software you have in place to recover lost data and software corruption. Are all of your servers backed up? If not, then why not? These are important questions. Many builders do not understand that they are at risk of losing significant data and management processes.

Management of administrator pass codes—In many systems these rights are tantamount to being a dictator on the system. An unskilled user that has administrative rights can effectively shut down the system without knowing what he or she has done.

I highly suggest only a limited few, highly skilled IT professionals have access. The owner or president should also have administrator rights but will probably have no need to exercise them, except on rare occasions.

These are the main areas of concern. The exact details of your vulnerability and risk should be discussed with your IT manager and other IT professionals. Do not delegate this task to others unless you are 100 percent sure of their competence. This could be a matter of your company’s survival in the case of any catastrophic loss of data via negligence, deception, theft or a power surge. How well would your company recover today from such an event and move on without losing time, money or important intellectual and operating assets?

In the next ten years, the ability to manage technology effectively will be a key competitive advantage. If you do not protect the very systems and processes that can deliver market advantages, you run the risk of losing what you have worked so hard to create.